The Claims



1-2. (Canceled) 

3. (Previously presented) A computerized method for key-based 
secure storage comprising: 

downloading information and an access predicate that specifies 
requirements for an application to access the information; 
generating a seed value; 

producing a hash seed value based on the seed value using a one-way hash 
function; 

generating an application storage key from the hash seed value; 
encrypting the information using the application storage key; and 
associating the access predicate with the encrypted information. 

4. (Previously presented) A computerized method for key-based 
secure storage comprising: 

downloading information and an access predicate that specifies 
requirements for an application to access the information; 
generating a seed value; 

producing a first hash seed value based on the seed value using a one-way 
hash function; 

producing a second hash seed value based on the seed value and a user 
identifier using a keyed hash function; 

generating a user storage key from the second hash seed value; 
encrypting the information using the user storage key; and
associating the access predicate with the encrypted information. 

5. (Canceled) 

6. (Previously presented) A computerized method for key-based 
secure storage comprising: 

downloading information and an access predicate that specifies 
requirements for an application to access the information; 
obtaining a storage key; 

encrypting the information using the storage key; 

associating the access predicate with the encrypted information; 

obtaining an operating system storage key; 

encrypting the access predicate with the operating system storage key; and 
encrypting a plurality of other storage keys using the operating system
storage key, wherein the other storage keys are selected from the group consisting
of application storage keys and user storage keys.

7. (Previously presented) A computerized method for key-based 
secure storage comprising: 

downloading information and an access predicate that specifies 
requirements for an application to access the information; 
obtaining a storage key; 

encrypting the information using the storage key; 

associating the access predicate with the encrypted information; 



Lee & Hayes, PLLC 509-324-9256



Application No. 09/227,568 






generating a seed value; 

generating an operating system storage key based on the seed value; and 
encrypting the access predicate with the operating system storage key. 

8. (Previously presented) A computerized method for key-based 
secure storage comprising: 

downloading information and an access predicate that specifies 
requirements for an application to access the information; 

generating a seed value for the application; 

producing an application hash seed value based on the seed value for the 
application using an application-specific one-way hash function; 

generating an application storage key from the application hash seed value; 
generating a seed value for a user; 

producing a first user hash seed value based on the seed value for the user 
using a one-way hash function; 

producing a second user hash seed value based on the first user hash seed 
value and a user identifier using a keyed hash function; 

generating a user storage key from the second user hash seed value, the 
application storage key and the user storage key to encrypt information containing 
a portion specific to an application and a portion specific to the user; 

encrypting the information using the application storage key and the user 
storage key; and 

associating the access predicate with the encrypted information. 

9. (Previously presented) A computerized method for key-based
secure storage comprising: 

downloading information and an access predicate that specifies 
requirements for an application to access the information; 
obtaining a storage key; 

encrypting the information using the storage key; 
associating the access predicate with the encrypted information; 
storing the storage key in a key vault provided by a third-party; and 
recovering the storage key from the key vault. 

10. (Original) The computerized method of claim 9, wherein 
recovering the storage key comprises: 

requesting recovery of the storage key; and 

providing information to the third-party to enable validation of the request. 

11. (Previously presented) The computerized method of claim 9, 
further comprising: 

selecting the key vault from a plurality of key vaults provided by a trusted 
operating system. 

12. (Previously presented) The computerized method of claim 9, 
further comprising: 

selecting the key vault designated by a provider of the information. 

13-14. (Canceled) 

15. (Previously presented) A computer system comprising:
a processing unit; 

a system memory coupled to the processing unit through a system bus; 
a computer-readable medium coupled to the processing unit through a 
system bus; 

a generate key function executed from the computer-readable medium by 
the processing unit, wherein the generate key function causes the processing unit 
to generate an operating system storage key based on an identity for the operating 
system and based on a seed. 

16. (Previously presented) A computer system comprising:
a processing unit; 

a system memory coupled to the processing unit through a system bus; 
a computer-readable medium coupled to the processing unit through a 
system bus; 

a generate key function executed from the computer-readable medium by 
the processing unit, wherein the generate key function causes the processing unit 
to generate an operating system storage key based on an identity for the operating 
system; 

an application specific one-way hash function executed from the 
computer-readable medium by the processing unit, wherein the application 
specific one-way hash function causes the processing unit to generate an 
application storage key from a hashed seed; and 

a generate application key function executed from the computer-readable
medium by the processing unit, wherein the generate application key function 
causes the processing unit to generate the hashed seed from an application seed. 

17. (Previously presented) A computer system comprising:
a processing unit; 

a system memory coupled to the processing unit through a system bus; 
a computer-readable medium coupled to the processing unit through a 
system bus; 

a generate key function executed from the computer-readable medium by 
the processing unit, wherein the generate key function causes the processing unit 
to generate an operating system storage key based on an identity for the operating 
system; 

a key-hash function executed from the computer-readable medium by the 
processing unit, wherein the key-hash function causes the processing unit to 
generate a user storage key from a hashed seed and an identity for the user; 

a one-way hash function executed from the computer-readable medium by 
the processing unit, wherein the one-way hash function causes the processing unit 
to generate the hashed seed from a previously hashed seed; and 

a generate user key function executed from the computer-readable medium 
by the processing unit, wherein the generate user key function causes the 
processing unit to generate the previously hashed seed from a user seed. 

18. (Canceled) 






19. (Currently amended) A computer system comprising: 
a processing unit; 

a system memory coupled to the processing unit through a system bus; 
a computer-readable medium coupled to the processing unit through a 
system bus; and 

a trusted operating system executed from the computer-readable medium by 
the processing unit, wherein the trusted operating system causes the processing 
unit to: 

encrypt downloaded information using a storage key based on a seed value,

to encrypt an access predicate associated with the downloaded
information using an operating system storage key,

to encrypt the seed value for the storage key using the operating
system storage key, and

to associate the encrypted access predicate with the encrypted seed value.

20. (Previously presented) The computer system of claim 19, 
wherein the trusted operating system further causes the processing unit to validate 
each application requesting access to the downloaded information using the access 
predicate, and decrypts the seed value for use by a validated application. 

21. (Previously presented) The computer system of claim 19, 
wherein the storage key used to encrypt the downloaded information is specific to 
an application. 

22. (Previously presented) A computer system comprising:
a processing unit; 

a system memory coupled to the processing unit through a system bus; 
a computer-readable medium coupled to the processing unit through a 
system bus; and 

a trusted operating system executed from the computer-readable medium by 
the processing unit, wherein the trusted operating system causes the processing 
unit to encrypt downloaded information using a storage key based on a seed value, 
and wherein the storage key used to encrypt the downloaded information is 
specific to a user. 

23-24. (Canceled) 

25. (Previously presented) A computerized method for key-based 
secure storage comprising: 

downloading information and an access predicate that specifies 
requirements for an application to access the information; 

obtaining a storage key; 

encrypting the information using the storage key; 
associating the access predicate with the encrypted information; 
storing the storage key in a key vault provided by a third-party; 
recovering the storage key from the key vault; and 

selecting the key vault from a plurality of key vaults provided by an 
authenticated operating system. 

26. (Canceled)



27. (Previously presented) A computer system comprising: 
a processing unit; 

a system memory coupled to the processing unit through a system bus; 
a computer-readable medium coupled to the processing unit through a 
system bus; and 

an authenticated operating system configured to execute on the processing 
unit from the computer-readable medium, the authenticated operating system 
causing the processing unit to encrypt downloaded information using a storage key 
based on a seed value; 

wherein the authenticated operating system further causes the processing 
unit to encrypt an access predicate associated with the downloaded information 
using an operating system storage key, to encrypt the seed value for the storage 
key using the operating system storage key, and to associate the encrypted access 
predicate with the encrypted seed value. 

28. (Previously presented) The computer system of claim 27, wherein 
the authenticated operating system further causes the processing unit to validate 
each application requesting access to the downloaded information using the access 
predicate, and decrypts the seed value for use by a validated application. 

29. (Previously presented) The computer system of claim 27, wherein
the storage key used to encrypt the downloaded information is specific to an 
application. 

30. (Previously presented) The computer system of claim 27, wherein 
the storage key used to encrypt the downloaded information is specific to a user. 
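
The key-derivation chain recited in claims 3, 4 and 8, sketched in Python as an added example; it is not part of the filing and not the applicant's implementation. SHA-256, HMAC-SHA-256, the `storage-key` label, the length-prefixed identifier encoding, the choice of the hash seed as the HMAC key, and all function names are assumptions, since the claims name only a one-way hash, a keyed hash and a key-generation step.

```python
import hashlib
import hmac
import secrets

KEY_LABEL = b"storage-key"  # assumed label for the final key-generation step


def generate_key(hash_seed: bytes) -> bytes:
    """'Generating a storage key from the hash seed value' (method assumed)."""
    return hmac.new(hash_seed, KEY_LABEL, hashlib.sha256).digest()


def application_storage_key(app_seed: bytes, app_id: bytes) -> bytes:
    """Claims 3 and 8: seed -> application-specific one-way hash -> key."""
    # The application-specific hash is modelled as SHA-256 over a
    # length-prefixed application identifier followed by the seed, so two
    # applications holding the same seed still derive unrelated keys.
    prefix = len(app_id).to_bytes(2, "big") + app_id
    app_hash_seed = hashlib.sha256(prefix + app_seed).digest()
    return generate_key(app_hash_seed)


def user_storage_key(user_seed: bytes, user_id: bytes) -> bytes:
    """Claims 4 and 8: seed -> one-way hash -> keyed hash with user id -> key."""
    first = hashlib.sha256(user_seed).digest()                  # first user hash seed
    second = hmac.new(first, user_id, hashlib.sha256).digest()  # second user hash seed
    return generate_key(second)


def demo() -> dict:
    """Derive keys from constructed seeds and report the separation properties."""
    app_seed = secrets.token_bytes(32)   # constructed sample seeds
    user_seed = secrets.token_bytes(32)
    alice = user_storage_key(user_seed, b"alice")
    bob = user_storage_key(user_seed, b"bob")
    app = application_storage_key(app_seed, b"player-1.0")
    return {
        # Same seed and identifier always re-derive the same key.
        "deterministic": alice == user_storage_key(user_seed, b"alice"),
        # One user seed yields unrelated keys per user identifier.
        "users_separated": not hmac.compare_digest(alice, bob),
        # Application and user chains do not collide on a shared seed.
        "app_differs": app != application_storage_key(user_seed, b"alice"),
        "key_bytes": len(app),
    }


if __name__ == "__main__":
    print(demo())
```
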